My friend Rich Mogull (ex-Gartner) recently posted an article in Dark Reading  called “iPhone Smackdown: Security v. Consumerization” that nicely summarizes the security problems that will arrive when employees being powerful consumer devices (like the iPhone) to work. His basic point is, “get over it; this stuff is coming whether you like it or not.” He then recommends three strategies IT departments should take to deal with it.Rich’s point is sound. It echoes what we at Yankee have been saying for over a year: consumer technologies are transforming IT. This is as inevitable as gravity, and the underlying reason is simple: the consumer technology experience is better than what corporate IT can offer. And the gap will keep getting wider. Consider that corporate capital depreciation cycles are three years. Consumer electronics product cycles have now compressed to about 6 months, one year max. That means, by definition, that the average employee is going to “feel left behind” two-thirds of the time. The same perceptual gap is present in software, too. Why buy (and capitalize) an expensive SPSS license when Swivel works does 90% of what you want? Or implement Remedy when GetSatisfaction.com is good enough? And of course, why tote around a clunky corporate Treo when you can smuggle in an iPhone that is half the thickness, lighter, nicer looking and a whole lot more fun?The key to dealing with rampant consumerization is to move to what we call Zen IT: an architectural approach that puts the right amount of scaffolding in place to allow employees to support themselves, regardless of what kind of shiny object they bring to work. With respect to security, Zen IT demands that enterprises master five key competencies:

1. Manage assets regardless of ownership
2. Make user identities portable
3. Control access to network resources
4. Control content as it moves
5. Secure customer-facing webware

Yankee Group described these strategies in detail in the April 2007 (!) presentation, Securing the Anywhere Enterprise (available to Link Research subscribers). I’d also point readers to colleague Josh Holbrook’s excellent report, Zen and the Art of Rogue Employee Management, to which Sheryl Kingstone, Zeus Kerravalla and I contributed.

We keep saying that ubiquitous connectivity will change how we work and how we play in the future. But did you ever think it would provide you with unlimited vacation days?

According to an article in the Sunday Boston Globe magazine, it does at Netflix. Netflix is one of the visionary companies who has done away with the traditional corporate policy of “two or three weeks off a year” and instituted a policy of “no set number of vacation days.” Salaried employees are allowed to spend as much or as little time out of the office as they want. The catch? They still have to ensure that they get all their work done, vacation days or not.

Now not requiring employees to take vacation may simply be corporate speak for no vacation at all as mobile phone-tethered executives check in as easily from Chile as from Chicago and answer email before and after their golf games. But what goes unsaid in the article is that Anywhere networks have given employees that choice. There is no rule that says employees must stay connected while on vacation. Connectivity simply gives them the option.

The Anywhere Network is reshaping the balance between work life and home life, and businesses and employees are still groping for the right answer. We can’t really say if the Netflix solution is the right or wrong approach (although from where I sit, it sound eminently reasonable assuming that appropriate management responsibility and authority). But there is one upside to businesses not mentioned in the article and that bears contemplation: when employees are entitled to unlimited vacation days, businesses don’t have to pay employees for unused ones.

The emergence of ubiquitous connectivity–changing the meaning of location in our lives as a global network lets us be wherever we want–provides enormously rich research fodder for Yankee Group analysts. The move to Anywhere is nothing more, but nothing less, than what we care about here.

Summer is for reading, and I enjoy seeing what our clients are reading of our analysts’ work. And read they do; to paraphrase Mark Twain, reports of the death of the written word are widely exaggerated. (Mostly spread, I suspect, by people who don’t like to write!) Here are the six most widely read reports by thousands of Yankee Group clients in the last three months — and what they have to say:

1. Anywhere Network Scorecard: Phil Marshall sets out Yankee Group’s unique assessment methodology for the work we’ve begun to score global network providers on their journey to building out the Anywhere Network.
2. Surviving the Digital Home: Josh Martin calls out the winners — technologies, behaviors, companies — in the game to build out the fully digital home environment. Given spiralling energy costs, it’s good to see that tele-working will improve dramatically.
3. Riding the Wave from Mobile Commerce to Mobile Transactions: Jon Paisner, Chris Collins, and Nick Spencer explain how and when mobile transactions will finally emerge after years of wishful thinking, as Anywhere Consumers embrace financial services on mobile devices.
4. Advancing Mobile Applications through Managed Services: Nick Spencer shows how application architectures and the IT channel play in increasing adoption of enterprise mobility.
5. Thinking Beyond Flat-Rate Business Models: Ari Banerjee says that next-generation business models for network providers–charging a premium for quality of service, for instance– means tackling new kinds of charging technologies inside the network itself.
6. Finding a Femto Future: Roberta Wiggins forecasts the world market for femtocell technology: cool in-home bandwidth distribution that’s a game-changer for consumer broadband. But she also sees potential beyond residential applications, into the SMB/SOHO markets too.

The first report is available free on our homepage; the others are only available to Yankee Group Link Research clients. Check them out — and tell me what else you think we should be investigating on the road to Anywhere.  Happy reading!

Today’s New York Times nominates Google as the Zen Master of the Anywhere Internet era because it is using network effects like Microsoft did during the PC revolution. Personally, I like Google’s chief economist’s reason better: the company focuses on learning from experience:

Google, it seems, is the emerging dominant company in the Internet era, much as Microsoft was in the PC era. The study of networked businesses, market competition and antitrust law is being reconsidered in a new context, shaped by Google. Google’s explanation for its large share of the Internet search market — more than 60 percent — is simply that it is a finely honed learning machine. Its scientists constantly improve the relevance of search results for users and the efficiency of its advertising system for advertisers and publishers.

“The source of Google’s competitive advantage is learning by doing,” said Hal R. Varian, Google’s chief economist.

But this isn’t your father’s learning by a few trials and errors. Google learns from what is rapidly becoming a new and powerful trend: organizing and learning from the petabytes of data it collects.

Read the rest of this entry »

I now officially declare cloud computing a mainstream trend. I say that not just because corporate America is embracing cloud computing; Agatha Poon’s and Gary Chen’s June 2008 report, Is Cloud Computing a New Force to Disrupt the Telcos’ Business? says it is. But the data point that put me over the top was this Washington Post article noting that email SPAM-generating companies are now avid users of Cloud Computing.
Read the rest of this entry »

Recently I’ve been asked by several publications to comment about mobile security, and more specifically about the security issues that we are seeing on smart mobile devices. Jim Finkle at Reuters did a nice job rounding up the usual suspects in a widely-circulated article that I recommend highly. In it, he quotes Symantec COO Enrique Salem (a smart cookie) and McAfee’s CEO Dave DeWalt (someone I have not met, but who is also said to be a smart cookie). He also solicited some insightful comments from Mark Rasch, a cyber-security lawyer I haven’t met, but whose SecurityFocus columns I have been reading and enjoying for years. I contributed my own little soundbite, which attempted to put things in perspective. All of these parties have interesting things to say, but a multi-interviewee story like Jim’s cannot give you the True Yankee Perspetive. So here it is.

Our take on “mobile security” has always been contrarian, and different from that voiced by the most popular interview subjects, namely security vendors. That camp’s position, grossly simplified, is this:

• Computers, particularly the Windows operating system, has long had a “malware problem.”
• Mobile phones are increasingly taking on computer-like features
• Because mobile phones are like computers, they will soon have malware too
• And because everyone has a phone, everyone will soon have malware

The general point is that endpoint security vendors see mobile phones as just another endpoint that will obviously have the same issues as other platforms they provide products for. In other words: mobile phone security is an adjacent market that they can safely expand into, because we all know that the problem space is the same, right? Right?

Elementary enough on its surface, the logic breaks down under casual scrutiny. The logical flaws remind Yankee Group of the old Woody Allen syllogism from Love and Death: A) Socrates is a man. B) All men are mortal. C) Therefore, all men are Socrates.

My folksy-philosopher dad likes to say that the old saying “seeing is believing” works in reverse, too. In other words: if you believe that a mobile malware maelstrom is approaching, you will see storm clouds everywhere.

Even when the storm clouds are just vapor.

Now, I won’t deny that certain mobile platforms (for example, Symbian) have had some problems with mobile malware. Most security analysts who follow the mobile world are well aware that there are many variants of CommWarrior and Skulls circulating out there. And yes, we know that BlueTooth auto-discovery could well allow phones to be hijacked at close range. Thank you, Sophos, for staging a media event that demonstrated this. Brilliant and well done. We also know that some end-users will be frustrated and occasionally tricked by SMS messages they receive from fraudsters. But misdirection and mischief (social engineering) is not the same thing as malware.

Where I part company with the vendors is the notion that somehow the mobile malware maelstrom is inevitable. Yankee Group has long maintained a consistent position on the coming mobile malware epidemic: there won’t be one. Breathless predictions of impending maladies — regularly recited by sellers of miracle tonics — cannot disguise the fact that the necessary preconditions for pervasive mobile malware do not exist, and never will. Here’s why the tonic-sellers’ logic is fatally flawed:

• Mobiles don’t have a monoculture operating system. Symbian, Windows Mobile, Android, iPhone and RIM all have significant shares, and we won’t see any of them gain more than 50% of the market.
• Malware has no obvious mass-infection vector. Short-range, rifle-shot BlueTooth promiscuities don’t count.
• Less-open operating environments. Most of the smartphone OSes (Symbian, iPhone, RIM for starters) require some form of digital signature to run a third-party application. This provides an audit trail, and gives the OS vendor (or carrier) an opportunity to revoke the certificate if the app misbehaves. I happen to like Apple’s model, because there’s one certificate issuer and thus one point of accountability. No, rogue apps run in jailbroken phones don’t count because they won’t be substantial.

None of these inconvenient facts seem to trouble security vendors too much, and every few months Yankee hears about another mobile security product launch. But mobile anti-malware software isn’t selling. John Thompson (Symantec CEO) more or less admitted it at this year’s Vision conference in Las Vegas, where he said that substantial investments in mobile security software wasn’t a very good use of shareholder money. Hats-off to JWT for telling the truth.

Setting the record straight on mobile security means talking straight about what is actually needed, and what is just hype. Enterprises certainly need the ability to remotely kill devices that have been stolen or lost. And certain kinds of mobile phones will probably also need encryption to keep sensitive contents safe from casual prying eyes. But on-board anti-malware software to prevent phones from contracting hypothetical future maladies? As Mike Rothman might say, “not so much.”

I’ve just begun researching a report with a working title of “Best of the Mobile Web.” As a result, I was pleasantly surprised to see that not only does OpenTable now seat three million diners a month, but it also has launched a mobile version of its web site. For those unfamiliar with the company, the premise is simple: it allows you to electronically find and book restaurant reservations. It is a great solution for those times when you want to plan a great meal in a new area, or simply want to explore new restaurants.

I think the mobile web version of this service is a perfect example of what the mobile web is good for. It has a simple, clear function, namely making restaurant reservations. It works on many mobile platforms; the fact it works on my BlackBerry’s limited browser is testament to its versatility. And it eschews Flash, graphics, and scripting in favor of a standard HTML pages that load quickly, even over slow wireless networks.

It’s too early to claim that OpenTable will be one of the best mobile web sites for my report. Every site has to be evaluated according to 25 Anywhere web criteria, so great content alone isn’t enough to land a spot on the list. Nonetheless, I have to say that OpenTable.com certainly has Anywhere appeal. After all, what’s the point of ubiquitious connectivity if you can’t find a place to eat dinner?

Last week I attended the Symantec WorldWide Industry Analyst Conference, co-located at the annual Symantec Vision conference in Las Vegas. Analyst conferences are always good opportunities to meet executives and, less often, to receive insights from customers.

A staple of analyst conferences, and of analyst slide decks, is something I call the We’re-So-Big Slide. WSB typically makes a forceful, quantitative statement about the core business asset the company possesses. For example:

• The number of sensors deployed in the field
• Assets under management
• Nodes monitored by a managed service

Symantec’s We’re-So-Big Slide is their Global Intelligence Network slide that shows how many countries they operate threat response centers in, and the number of sensors deployed in the field. These sensors serve as honeypots that capture malicious code and network traffic, and provide visibility to their anti-malware labs. They are very proud of their threat network, and rarely miss an opportunity to tell customers and analysts how many sensors they have.

Today’s first sighting of the The WSB Slide was provided by Symantec Chief Strategy Officer Greg Hughes. Yankee Group blog readers will be pleased to know that Symantec has 40,000 sensors deployed worldwide. For sure, all those sensors are helping their labs get lots of visibility into new threats.

The We’re-So-Big Slide is handy shorthand for “We’ve got an asset that is key to our success, and we are flogging it like a jockey on a racehorse. Just how much are we flogging it? So glad you asked. Here’s a slide that tells you exactly how much.”

I always look for The WSB Slide because it’s like an old friend: familiar, comforting and you don’t have to waste time getting re-acquainted. The WSB Slide also tells you something, if only subliminally, about what the company feels is important. There is a super-important downside to keep in mind with WSB, though, which I’ll discuss in a future blog post.

I recently wrote a new Yankee Group Decision Note titled “Considering Cloud Computing for the Anywhere Enterprise” (it isn’t on the Web site yet, but will be soon). In that note, I warn early adopters of cloud services — even those from such tried-and-true providers like Amazon.com — that they should understand five different risks, one of them being reliability risk, before they jump in with both feet.

That note feels a bit prescient today because Amazon.com’s main site, www.amazon.com, has been struggling to provide Web service today, instead providing error messages like the one shown above (click on the image for a larger version). And while I don’t think this has propagated to the Amazon Elastic Computing Cloud service, it does argue that even the top tier providers are a long way from a perfect record in providing non-stop service.

The bottom line:  transferring an IT function  — whether it be hosting a Web site, running a CRM system, or managing a data center — to someone else doesn’t mean you don’t have to worry about it. It just means you won’t be able to fix it yourself when it goes wrong.

If you find yourself feeling overwhelmed by Apple iPhone stories lately, rest assured you are not imagining it. I’ve been measuring iPhone “Buzz” since the product was introduced last year by simply asking Google News how many stories have been published with the word “iPhone” in them over the past 24 hours. Today, that number hit 23,524 stories in the last day. To put that in perspective, only 11,690 stories referenced the iPhone the day it launched on June 29, 2007, despite crowds lined up for days outside stores. The iPhone frenzy built throughout the month of July 2007 to a peak of 26,848 stories on July 29; it has never peaked so high since (see the figure above for details). But since that time, iPhone buzz has been below 20,000 stories a day — until this week. Read the rest of this entry »